Kerberos (krb-wg)
-----------------
Charter
Last Modified: 2009-01-12
Current Status: Active Working Group
Chair(s):
Jeffrey Hutzelman
Larry Zhu
Security Area Director(s):
Tim Polk
Pasi Eronen
Security Area Advisor:
Tim Polk
Mailing Lists:
General Discussion: ietf-krb-wg@lists.anl.gov
To Subscribe: https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
Archive: https://lists.anl.gov/pipermail/ietf-krb-wg/
Description of Working Group:
Kerberos over the years has been ported to virtually every operating
system. There are at least two open source versions, with numerous
commercial versions based on these and other proprietary
implementations. Kerberos evolution has continued in recent years, with
the development of a new crypto framework, publication of a new version
of the Kerberos specification, support for initial authentication using
public keys, and numerous extensions developed in and out of the IETF.
However, wider deployment and advances in technology bring with them
both new challenges and new opportunities, particularly with regard to
making initial authentication of users to the Kerberos system both
convenient and secure. In addition, several key features remain undefined.
The Kerberos Working Group will continue to improve the core Kerberos
specification, develop extensions to address new needs and technologies
related to improving the process of client authentication, and produce
specifications for missing functionality.
Specifically, the Working Group will:
* Complete existing work:
  - ECC for PKINIT (draft-zhu-pkinit-ecc-03.txt)
  - Set/Change Password (draft-ietf-krb-wg-kerberos-set-passwd-05.txt)
  - Naming Constraints (draft-ietf-krb-wg-naming-02.txt)
  - Anonymity (draft-ietf-krb-wg-anon-03.txt)
  - Hash agility for GSS-KRB5 (draft-ietf-krb-wg-gss-cb-hash-agility-00.txt)
  - Hash agility for PKINIT (draft-ietf-krb-wg-pkinit-alg-agility-01.txt)
  - Referrals (draft-ietf-krb-wg-kerberos-referrals-08.txt)
* Prepare and advance a specification for an updated, backward-compatible
  version of the Kerberos version 5 protocol which supports non-ASCII
  principal and realm names, salt strings, and passwords; ensures that
  those portions of the protocol which are not encrypted are nonetheless
  authenticated whenever possible; and enables future protocol revisions
  and extensions.
* Develop extensions which reduce or eliminate exposure of Kerberos
  clients' long-term keys to attack and enable the use of alternate
  mechanisms for initial authentication. This task will comprise the
  following items:
  - A model and framework for preauthentication mechanisms
  - A mechanism for providing a protected channel for carrying
    preauthentication data and/or a reply key between a Kerberos client
    and KDC, within the KDC_REQ/KDC_REP exchange.
  - Support for One-Time Passwords
  - Support for hardware authentication tokens
  - Support for using TLS to secure communications with Kerberos KDCs.
* Examine issues related to the current cross-realm model, produce a list
  of problems to be solved, and evaluate approaches to solving them.
* Develop extensions to Kerberos and a GSS-API mechanism (IAKERB) to
  enable Kerberos clients to communicate with a KDC by using a GSS-API
  acceptor as a proxy.
* Produce a data model for information needed by the KDC, and an LDAP
  schema for management of that data.
Goals and Milestones:
  Done      First meeting
  Done      Submit the Kerberos Extensions document to the IESG for
            consideration as a Proposed Standard.
  Done      Complete first draft of Pre-auth Framework
  Done      Complete first draft of Extensions
  Done      Submit K5-GSS-V2 document to IESG for consideration as a
            Proposed Standard
  Done      Last Call on OCSP for PKINIT
  Done      Consensus on direction for Change/Set password
  Done      PKINIT to IESG
  Done      Enctype Negotiation to IESG
  Done      Last Call on PKINIT ECC
  Done      TCP Extensibility to IESG
  Done      ECC for PKINIT to IESG
  Done      Naming Constraints to IESG
  Done      Anonymity to IESG
  Sep 2007  WGLC on preauth framework
  Done      WGLC on OTP
  Done      WGLC on data model
  Done      WGLC on cross-realm issues
  Jan 2008  WGLC on Referrals
  Dec 2008  Set/Change Password to IESG
  Dec 2008  Hash agility for GSS-KRB5 to IESG
  Dec 2008  Hash agility for PKINIT to IESG
  Dec 2008  Anonymity back to IESG
  Done      WGLC on IAKERB
  Jan 2009  WGLC on STARTTLS
  Feb 2009  Data Model to IESG
  Feb 2009  OTP to IESG
Internet-Drafts:
  Posted    Revised   I-D Title
  --------  --------  --------------------------------------------
  May 2003  Nov 2008  Kerberos Set/Change Key/Password Protocol Version 2
  Feb 2004  Feb 2009  A Generalized Framework for Kerberos Pre-Authentication
  Jun 2006  Oct 2008  Anonymity Support for Kerberos
  Nov 2006  Nov 2008  Kerberos Version 5 GSS-API Channel Binding Hash Agility
  Oct 2007  Oct 2008  Problem statement on the cross-realm operation of Kerberos
  Oct 2007  Dec 2008  OTP Pre-authentication
  Oct 2007  Nov 2008  Initial and Pass Through Authentication Using Kerberos V5
                      and the GSS-API (IAKERB)
  Dec 2007  Mar 2009  An information model for Kerberos version 5
  Dec 2008  Nov 2008  Kerberos ticket extensions
Request For Comments:
  RFC      Status    Published  Title
  -------  --------  ---------  ------------------------------------
  RFC3962  Standard  Feb 2005   AES Encryption for Kerberos 5
  RFC3961  Standard  Feb 2005   Encryption and Checksum Specifications for Kerberos 5
  RFC4120  Standard  Jul 2005   The Kerberos Network Authentication Service (V5)
  RFC4121  Standard  Jul 2005   The Kerberos Version 5 Generic Security Service
                                Application Program Interface (GSS-API) Mechanism:
                                Version 2
  RFC4537  PS        Jun 2006   Kerberos Cryptosystem Negotiation Extension
  RFC4557  PS        Jun 2006   Online Certificate Status Protocol (OCSP) Support for
                                Public Key Cryptography for Initial Authentication in
                                Kerberos (PKINIT)
  RFC4556  PS        Jun 2006   Public Key Cryptography for Initial Authentication in
                                Kerberos (PKINIT)
  RFC5021  PS        Aug 2007   Extended Kerberos Version 5 Key Distribution Center
                                (KDC) Exchanges Over TCP
  RFC5349  I         Sep 2008   Elliptic Curve Cryptography (ECC) Support for Public Key
                                Cryptography for Initial Authentication in Kerberos
                                (PKINIT)